Method and apparatus for detecting intrusions on a computer system
First Claim
1. A method of detecting intrusions on a computer, comprising:
- identifying an internet protocol field range describing fields within internet protocol packets received by a computer;
establishing a connectivity range describing a distribution of network traffic received by said computer;
determining an internet protocol field threshold and a connectivity threshold from said internet protocol field range and said connectivity range, respectively;
during said operation of said computer, calculating values for said internet protocol field range and said connectivity range; and
comparing said values to said internet protocol field threshold and said connectivity threshold so as to identify an intrusion on said computer, utilizing a processor;
wherein a plurality of said internet protocol field ranges are provided including an IP address range and a packet length, and a plurality of said internet protocol field thresholds are provided including an IP address range threshold and a packet length threshold.
10 Assignments
0 Petitions
Accused Products
Abstract
A method of detecting intrusions on a computer includes the step of identifying an internet protocol field range describing fields within internet protocol packets received by a computer. A connectivity range is also established which describes a distribution of network traffic received by the computer. An internet protocol field threshold and a connectivity threshold are then determined from the internet protocol field range and connectivity range, respectively. During the operation of the computer, values are calculated for the internet protocol field range and connectivity range. These values are compared to the internet protocol metric threshold and connectivity metric threshold so as to identify an intrusion on the computer.
-
Citations
23 Claims
-
1. A method of detecting intrusions on a computer, comprising:
-
identifying an internet protocol field range describing fields within internet protocol packets received by a computer; establishing a connectivity range describing a distribution of network traffic received by said computer; determining an internet protocol field threshold and a connectivity threshold from said internet protocol field range and said connectivity range, respectively; during said operation of said computer, calculating values for said internet protocol field range and said connectivity range; and
comparing said values to said internet protocol field threshold and said connectivity threshold so as to identify an intrusion on said computer, utilizing a processor;
wherein a plurality of said internet protocol field ranges are provided including an IP address range and a packet length, and a plurality of said internet protocol field thresholds are provided including an IP address range threshold and a packet length threshold. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
-
-
22. A system, comprising:
-
a processor for; identifying an internet protocol field range describing fields within internet protocol packets received by a computer; establishing a connectivity range describing a distribution of network traffic received by said computer;
determining an internet protocol field threshold and a connectivity threshold from said internet protocol field range and said connectivity range, respectively;
during said operation of said computer, calculating values for said internet protocol field range and said connectivity range; and
comparing said values to said internet protocol field threshold and said connectivity threshold so as to identify an intrusion on said computer, utilizing a processor;
wherein said system is operable such that a plurality of said internet protocol field ranges are provided including an IP address range and a packet length, and a plurality of said internet protocol field thresholds are provided including an IP address range threshold and a packet length threshold.
-
-
23. A computer program product embodied on a non-transitory computer readable medium, comprising:
- computer code for identifying an internet protocol field range describing fields within internet protocol packets received by a computer;
computer code for establishing a connectivity range describing a distribution of network traffic received by said computer;
computer code for determining an internet protocol field threshold and a connectivity threshold from said internet protocol field range and said connectivity range, respectively;
computer code for during said operation of said computer, calculating values for said internet protocol field range and said connectivity range; and
computer code for comparing said values to said internet protocol field threshold and said connectivity threshold so as to identify an intrusion on said computer, utilizing a processor;
wherein said computer program product is operable such that a plurality of said internet protocol field ranges are provided including an IP address range and a packet length, and a plurality of said internet protocol field thresholds are provided including an IP address range threshold and a packet length threshold.
- computer code for identifying an internet protocol field range describing fields within internet protocol packets received by a computer;
Specification